CCPA compliance: how it will change the way you market in 2020 and beyond

Some people subscribe to the idea that the only constant in life is change. If you have looked at your inbox in the last few weeks, then you know that the only real constant in life is change to Privacy Policies. Seriously though, why is everyone sending these emails about updates to their Privacy Policy?

Is it GDPR again? No, it’s time for a different privacy law to have its proverbial moment in the sun – the California Consumer Privacy Act of 2018 (CCPA).

As a marketer though, what does this all have to do with you? The truth is that the collection, use and disclosure of personal information has become an actual big deal only in the last few years. Prior to that, it was kind of a wild west. So why should you care about privacy now?

Privacy laws are no joke as they impose heavy fines for non-compliance. These fines can range from $2,500 per violation (per person whose privacy rights you have violated) to €20,000,000;

Consumers care about their privacy. In fact, according to a study performed by Pew Research, 79% of Americans are very or somewhat concerned about how companies use the data they collect. Every good marketer knows that it’s smart to listen to their audience.

If you are based in the US or the EU, the following privacy laws affect your work:

The General Data Protection Regulation (GDPR) introduced the concept of consent, meaning that marketers need to ensure that their email lists are from people who affirmatively want to receive those emails. EU residents can also opt out of direct marketing or ask you to delete their information altogether. Obviously, Privacy Policies changed and privacy concerns started affecting how marketing is done.

Nevada’s SB 220 went into effect on October 1st, 2019 and has not really had a chance to make an impact yet. However, it requires certain companies to disclose whether they sell the personal information of residents of Nevada and allows such residents to opt out of sales. This new law affects marketers who buy lists.

The California Online Privacy Protection Act of 2003 (CalOPPA) requires any website that collects the personal information of residents of California to have a Privacy Policy.

And now, a new law has been passed, the CCPA, which, as you will see, will affect your work as well.

We know that all of these updates and changes in privacy law can be overwhelming so we put together this article so that you can quickly understand how the CCPA affects your work and what you can do to get compliant. We will discuss:

What the CCPA is and what it does;

Who it applies to;

Changes that you need to make to your Privacy Policy to continue marketing to residents of California;

How the rights that residents of California receive under the CCPA may affect your work; and

What other privacy changes are on the horizon and what you can do to prepare for them.

As a marketer, your work will change because of the CCPA. Since this law goes into effect on January 1, 2020, it is imperative that you start your preparations now. So let’s get into it!

CCPA: a brief overview

The CCPA has been referred to as the GDPR of the United States, probably because it is the first fully comprehensive privacy law that we have seen in this country (that does not concern financial data, health data or the data of children). However, there are some big differences between CCPA and GDPR, including how the CCPA came about.

The CCPA was first introduced by a real estate developer for the November 2018 ballot. This ballot gained a lot of attention because it put consumers’ privacy rights at the forefront by being one of the most consumer-friendly privacy bills ever introduced. The proposed bill was widely popular amongst consumers and their advocates and thus got the attention of the California state legislature. In the interest of coming to a compromise, the real estate developer agreed to withdraw his ballot if a similar privacy law was passed. The legislature then introduced, amended and passed their version of the CCPA by June 18, 2018. Since that time, the CCPA has been amended a few more times and California’s Attorney General has issued proposed regulations that are supposed to help businesses have a better understanding of how to comply with this complex privacy law.

The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals;

In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica. A series of Congressional hearings highlighted that our personal information may be vulnerable to misuse when shared on the Internet. As a result, our desire for privacy controls and transparency in data practices is heightened;

People desire more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level of transparency of their business practices.

In order to provide Californians with the ability to have more control over their personal information online, the CCPA provides them with the following rights:

The right to know what personal information is being collected about them;

The right to know whether their personal information is sold or disclosed and to whom;

The right to say no to the sale of their personal information;

The right to access their personal information;

The right to request that you delete their personal information;

The right to equal service and price, even if they exercise their privacy rights.

Since the time that it takes to implement full compliance can be extensive, you will obviously first want to make sure that you and your clients need to comply with this law. The CCPA applies to businesses. A “business” is defined as a for-profit legal entity that does business in California and meets one of the following criteria:

Has annual gross revenues in excess of $25,000,000;

Annually buys, receives, for business commercial purposes, sells or shares the personal information of 50,000 or more Californian consumers, households, or devices; or

Derives 50% or more of its annual revenues from selling the personal information of Californian consumers.

Before you congratulate yourself on being a small business and stop reading though, note that proper management of vendors is a big part of CCPA compliance. This means that if you work with large clients, they may ask you to sign a contract that requires you to be CCPA compliant, even if you do not meet the thresholds above. If your clients act as vendors to large companies, they may be in the same boat as well.

The fines for failing to comply with the CCPA can be steep. Generally, the fines that can be imposed by the Attorney General are $2,500 per violation or $7,500 per intentional violation. “Per violation” means per person whose privacy rights you violated or per website visitor. Even if you have 100 website visitors per month, you can probably see how quickly these fines can add up.

Now that you know what the CCPA is, what rights it affords to Californians and whether it applies to your work, it is time to dive in to how it affects your work as a marketer.

How the CCPA affects marketing

As soon as new laws and regulations are released, there is a flurry of activity and concern. Professionals are quite rightly confused and nervous about what this means for their day to day work. It is important to know that legislators spoke to industry professionals when amending the CCPA and drafting the regulations. The CCPA does not prohibit marketing, it just makes sure that the rights to privacy are respected when marketing is done. In fact, the law itself specifically includes marketing activities such as counting ad impressions and verifying ad quality as legitimate business uses for personal information. Yes, even though it may be a challenge to change your work to comply with a new privacy law, it can certainly be achieved. There are a few main changes that you as a marketer need to be aware of, and we will walk you through those changes right now.

First, if the CCPA applies to you, then you need to have a compliant Privacy Policy. Don’t worry though, we won’t bore you with all of the detailed changes that you will need to make to your Privacy Policy compliant, we will talk only about the changes that are of particular interest to marketers.

The CCPA requires you to disclose for what business purposes you will be using the personal information that you collect. Note that you need to be very thorough in listing those purposes because you will not be able to use the personal information for any purpose that is not listed in your Privacy Policy. If you forget to add a purpose and want to add it later, you will need to directly notify consumers of the new use and obtain explicit consent from consumers for this new purpose.

The following is a non-exhaustive list of purposes that may help you in creating your list:

Auditing transactions that the consumer has entered into;

Counting ad impressions to unique visitors;

Verifying position and quality of ad impressions;

Auditing compliance;

Detecting security incidents;

Protecting against malicious, deceptive, fraudulent, or illegal activity and prosecuting those responsible for those activities;

Debugging to identify and repair errors;

Creating new feature;

Short-term transient use;

Performing services;

Providing customer service;

Processing or fulfilling orders or transactions;

Verifying customer information;

Processing payments;

Providing financing;

Marketing and advertising;

Analytics;

Undertaking internal research for technological development and demonstration;

Participation in surveys and contests;

Enforcing Terms of Service.

Your Privacy Policy will also need to disclose from what sources you collect that personal information. A non-exhaustive list of examples of sources can include:

Information submitted by a consumer;

Social networks;

Surveys;

Tracking pixels;

The observation and tracking of activities by the website over, such as by the use of cookies;

Data resellers.

While a lot of marketers use pixels and cookies to measure the effectiveness of their campaigns, you will notw have to disclose these sources of data. Finally, it is important to note that if you purchase personal information from data resellers, you will have to disclose that as well. Note that some consumers do not take kindly to such practices so you may need to re-evaluate where you get data from to avoid any bad press.

Third, your Privacy Policy needs to disclose whether you have shared any personal data with third parties and the categories of third parties that you have shared data with. Take this time to consider your integrations and all of the tools that you use. If you share personal information with these tools by, for example, inputting your customers’ email into Mailchimp for email marketing, then you need to disclose that in your Privacy Policy. Thankfully though, you do not need to provide the actual names of the third parties, only the categories. Examples of third party categories can include:

Email marketing vendors;

Customer management systems;

Fraud prevention services vendors;

Parties that need to operate the website;

Processors of financial transactions;

Consumer data resellers;

Social networks;

Operating systems and platforms;

Data analytics providers;

Government or law enforcement entities;

Internet Service Providers;

Advertising networks.

As discussed previously, the CCPA provides Californians with certain privacy rights. One of these rights is the ability of the consumer to request that the business delete the personal information that it has about that consumer. What does this new privacy right mean to marketers?

You will no longer be able to directly market to that consumer. While there are exceptions that a business can use to deny the request to delete, marketing is not one of those exceptions; and

You will have to be more careful about the frequency of marketing messages that any given consumer receives. If the consumer feels inundated or overwhelmed by the amount of messaging they receive, they can now just ask you to delete their personal information. This would obviously be a big loss so it’s important to keep frequency in mind.

Californian consumers will also have the right to opt-out or say no to the sale of their personal information. If you buy or sell data, this new right will certainly affect you. If you purchase personal information, the list that you buy will become smaller as consumers opt out of these sales. If you sell the personal information that you collect, be prepared for consumers opting out.

The final right that may be of interest to marketers is the right of consumers not to be discriminated against, even if they exercise their privacy rights. This means that you have to ensure that your marketing messaging or offers to not discriminate against consumers who exercise their rights. The following types of actions would generally be seen as discriminatory:

Denying goods or services to the consumer;

Charging different prices or rates for goods or services, including through the use of discounts or imposing penalties;

Providing a different level or quality of goods or services to the consumer;

Suggesting that the consumer would receive a different price or rate for goods or services or a different level or quality of goods or services.

It is clear that the CCPA affects marketers by increasing the disclosures that need to be made and by providing consumers with new rights with respect to their personal information. This means that transparency will be increased, and practices that consumers may be against will come to light. All of this does not mean that marketing will need to stop entirely. It only means that you should take this time to re-evaluate and determine whether current data practices should continue.

Why the CCPA is not the end

Now that we discussed the CCPA and you’re feeling some steady ground beneath your feet, let’s talk about the future of marking and privacy. GDPR, while certainly not perfect, applies to the collection, use and disclosure of the personal information of residents of the European Union and is one set of rules that everyone who deals with that information must follow. While some legislators are working on it, there is currently no overarching federal law in the United States that deals with the use of personal information online (not counting health information, financial information, or the information of children). Instead of waiting for a federal law, many states have decided to take matters into their own hands by proposing and even passing privacy laws that protect persons residing in those states and their privacy. This makes the current privacy landscape very complicated and is causing issues for businesses.

Currently, there are six federal privacy bills that are being considered. Some of these bills would apply to large businesses only while others would apply to any business that collects personal information of consumers online. All of the bills would require companies to make very specific disclosures in their Privacy Policies and would impose heavy fines for failing to do so. Here is the really interesting part though, while some of these bills would override any state privacy laws, others would not. If a federal law does not override state laws, that means that businesses would have to comply with both the federal and state privacy laws by following the one that’s the strongest or most prohibitive. We’re sure that you can appreciate just how complex that could become. No one is exactly sure whether or when a federal privacy law would be passed but some legislators have stated that the protection of privacy online is their top priority. It seems like we will just have to wait and see what happens at the federal level.

If you get tired of waiting for people to do stuff and would rather just do it yourself, you can sympathise with state legislators. After not seeing much movement at the federal level for a privacy law, these folks decided that they will just do it themselves. As of the time of writing this article, there are a total of nine states that have proposed their own privacy bills. These bills were created to protect the citizens of those states, the businesses. This means that the rules may apply to your business even if you are not physically located in that state. Some bills would require as little as one transaction with a consumer from that state for the bill to apply to a business. All of the bills would require businesses to make changes to their Privacy Policies and to have very specific disclosures in those Privacy Policies. In fact, some of these states even propose that consumers have the ability to sue businesses directly for having a contact form without a Privacy Policy.

If the developments this year have taught us anything, it’s that privacy is not going away. More bills are being proposed and more laws are enacted that require Privacy Policies to be either completely re-written or amended. And, as we have seen with GDPR, enforcement of these laws and the issuance of fines for non-compliance is a reality. Do you have a plan for keeping your Privacy Policy up to date with all of these changes? We hope that you consider using Termageddon. Termageddon is a generator of Privacy Policies, Terms of Service and more, and we update our clients’ policies whenever the laws change, ensuring that you stay compliant.

Donata is the founder and President of Termageddon, an auto-updating Privacy Policy generator. She is a licensed attorney and certified information privacy professional. She also serves as the Newsletter Editor of the American Bar Association – ePrivacy Committee. In her free time, Donata enjoys bee keeping, hunting for morel mushrooms and walks with her fiancé and two dogs.